Talos IntelligenceTALOS-2018-0705CleanMyMac X moveItemAtPath privilege escalation vulnerability
6.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:C/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.0004 Low
EPSS
Percentile
5.1%
Summary
An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
Tested Versions
Clean My Mac X 4.04
Product URLs
<https://macpaw.com/cleanmymac>
CVSSv3 Score
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
CWE-19: Improper Input Validation
Details
CleanMyMac X is an all-in-one cleanup and optimization tool for the Mac operating system. The application is able to scan the system and user directories, looking for unused and leftover files and applications. The applications also markets the ability to help detect and prevent viruses and malware on OS X. The software utilizes a privilege helper tool running as root to get this work done faster. This allows the application to remove and modify system files.
The vulnerability arises in the moveItemAtPath function of the helper protocol. The code for this function is:
at_path = objc_retain(a3);
to_path = objc_retain(a_4);
v9 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
v10 = (void *)objc_retainAutoreleasedReturnValue(v9);
v13 = 0LL;
v15 = objc_msgSend(v10, "advancedMoveItemAtPath:toPath:error:", at_path, to_path, 0LL);
At location [0], a user-supplied argument is passed into the function advancedMoveItemAtPath. By supplying nil in the to_path argument, the file is then deleted. There is no validation of the calling application thus any application is able to access this function and because this is a privileged helper it runs as root. This crosses a privilege boundary allowing non-root users to delete files from the root file system.
Exploit Proof of Concept
Included with this advisory is an Xcode project, as well as a Python script. The Python script needs an administratorβs password to set up some root files on the system before exploiting the vulnerabilities. The Xcode project contains the proof of concept.
Timeline
2018-11-09 - Vendor Disclosure
2018-12-27 - Vendor Patched
2019-01-02 - Public Release
Related
6.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:C/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.0004 Low
EPSS
Percentile
5.1%